in short...

First of all, why does npm suggest that it should only run as non-root? I highly disbelieve that every other package manager (apt, yum, gem, pacman) is wrong for requiring sudo.

Second, when I follow their suggestion (and run npm install as non-root), it won't work (because non-root doesn't have permission to /usr/local/lib). How do I follow their suggestion? I am not going to chown -R $USER /usr/local/lib because that seems like a very bad idea to me.

2 Answers
2

Actually, npm does not recommend not running as root. Well, not any more.

It has changed around the same time that you asked your question. This is how the README looked on February 7, 2011: "Using sudo with npm is Very Not Recommended. Anyone can publish anything, and package installations can run arbitrary scripts." It was explained later in more detail as "Option 4: HOLY COW NOT RECOMMENDED!! You can just use sudo all the time for everything, and ignore the incredibly obnoxious warnings telling you that you're insane for doing this."

find out what the local DNS (or anyone else spoofing the DNS response or poisoning the DNS cache) says is the IP address of npmjs.org

connect with insecure TCP with that IP (or with whoever says it's his IP) on port 80

trust the router that you think you should talk to (or anyone who gave you the DHCP response said you should talk to) to deliver packets to the right host

possibly go through another layer of transparent caching proxy

trust all other networks between you and the other end of the TCP connection

don't know for sure who you are connected with

cross your fingers

request install.sh script over insecure HTTP with no verification whatsoever

and then run whatever was returned by whoever you're talking to with maximum privileges on your machine without even checking what it is.

As you can see, this is really, literally, with no exaggeration, giving a root shell to whatever you get after asking for a script from the Internet over an insecure connection with no verification whatsoever. There are at least 5 different things that can go wrong here, any of which can lead to an attacker taking total control over your machine:

DHCP spoofing

ARP spoofing

DNS cache poisoning

DNS response spoofing

TCP session hijacking

Also note that using 'sh' instead of 'sudo sh' is usually not any less risky unless you run it as a different user who doesn't have access to your private data, which is usually not the case.

You should use HTTPS connections if available to download such scripts so you could at least verify who you are talking to, and even then I wouldn't run it without reading first. Unfortunately npmjs.org has a self-signed certificate so it doesn't really help in this case.

Fortunately, npm is available on GitHub, which has a valid SSL certificate and from where you can download it using a secure connection. See: github.com/isaacs/npm for details. But make sure that npm itself doesn't use insecure connections to download the files that it downloads - there should be an option in npm config.
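One way to put this answer into practice, as an added example that is not part of the original post and not npm's own code: a POSIX shell script that downloads the installer over HTTPS to a file instead of piping it into sudo sh, checks its SHA-256 against a value obtained separately, and writes a per-user npm configuration (prefix under $HOME, strict-ssl, HTTPS registry) so that the asker's second question is handled without chown -R on /usr/local/lib. The URL, the expected checksum and the prefix path are placeholders; the .npmrc keys prefix, strict-ssl and registry are real npm options.

```shell
#!/bin/sh
# Added example, not code from the original answer or from the npm project.
# Replaces "curl http://.../install.sh | sudo sh" with:
#   1. download over HTTPS only, to a file, with the server certificate verified;
#   2. compare the file's SHA-256 with a value obtained out of band;
#   3. read the script before running it, as an ordinary user;
#   4. point npm at a prefix under $HOME so "npm install" never needs root
#      (and /usr/local/lib is never chown'ed).
# The URL, expected checksum and prefix path used below are assumptions.

set -eu

# Refuse anything that is not HTTPS. curl verifies the certificate by default
# (never pass -k / --insecure); --proto limits the initial request to HTTPS and
# --proto-redir does the same for any redirect the server answers with.
fetch_installer() {
    url="$1"
    out="$2"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL -o "$out" "$url"
}

# Print the SHA-256 of a file (coreutils sha256sum, or shasum on macOS/BSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the downloaded file against a checksum copied from a trusted
# channel (release page over HTTPS, signed release notes), not from the
# same server that served the file.
verify_sha256() {
    file="$1"
    expected="$2"
    [ "$(file_sha256 "$file")" = "$expected" ]
}

# Write a per-user npm configuration in .npmrc format:
#   prefix     -> global installs land under $HOME, so no sudo is needed
#   strict-ssl -> registry connections must present a valid certificate
#   registry   -> talk to the registry over HTTPS only
write_user_npmrc() {
    npmrc="$1"
    prefix="$2"
    mkdir -p "$prefix/bin"
    printf 'prefix=%s\nstrict-ssl=true\nregistry=https://registry.npmjs.org/\n' \
        "$prefix" > "$npmrc"
}

# Typical sequence (values are placeholders, run as your own user):
#   fetch_installer "https://example.invalid/install.sh" ./install.sh
#   verify_sha256 ./install.sh "$EXPECTED_SHA256" || { echo "checksum mismatch" >&2; exit 1; }
#   less ./install.sh                       # read it before running it
#   sh ./install.sh                         # no sudo
#   write_user_npmrc "$HOME/.npmrc" "$HOME/.npm-global"
#   export PATH="$HOME/.npm-global/bin:$PATH"
#   npm install -g <package>                # no sudo either
```

After the prefix is set, npm's global installs go to $HOME/.npm-global, so the only thing that ever needs root is adding the bin directory to PATH in your shell profile, which is a change to your own files, not to /usr/local.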

Thank you very much for that well thought out response! This helps me install npm without such security problems. However, once I install npm, my other part of the question still isn't answered. In other words, I can install npm now, but how do I use npm? do I run npm as root or not?
–
Alexander Bird, Feb 16 '11 at 22:23

just kidding, I re-read the first.
–
Alexander Bird, Feb 16 '11 at 22:26

1

@Zed Nice thoughts, but they don't really help you. As soon as you clone a git repo and run its makefile, you could be infected. As soon as you install just one malicious npm package, you could be infected. Also, as long as your account is able to sudo and you sometimes use it for that, not being root while getting infected has ~zero impact on the attacker's abilities to do evil stuff.
–
thejh, Jan 8 '12 at 9:49

@thejh My advice doesn't help you if the software itself is malicious as intended by its author. But it helps in a much more probable situation where the software is fine but you are indeed not talking to the author but to someone who wants to serve you a trojaned version of that software. If you get the official version from GitHub, then it is in my opinion much less likely that it is malicious. But of course being or not being root is pretty much irrelevant anyway since your private files in $HOME are usually the most important, as I said, plus there is sudo, as you said. 100% agree on that.
–
Zed, Jan 31 '13 at 10:32